Notices by Soatok Dreamseeker (soatok@furry.engineer)

@krypt3ia @jerry "Oops, our CEO kissed Tump's ass."

Huh. https://drewdevault.com/2025/01/16/2025-01-16-No-Billionares-at-FOSDEM-please.html

No, Graham did not know this was coming

https://chaos.social/@gsuberland/113745033234898338

Don’t Use Session (Signal Fork)

Last year, I outlined the specific requirements that an app needs to have in order for me to consider it a Signal competitor. Afterwards, I had several people ask me what I think of a Signal fork called Session. My answer then is the same thing I'll say today: Don't use Session. The main reason I said to avoid Session, all those months ago, was simply due to…

http://soatok.blog/2025/01/14/dont-use-session-signal-fork/

@risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman In that respect, symmetric cryptography is more boring than anything asymmetric, but a proof that P=NP would eventually utterly destroy both.

@risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman With asymmetric cryptography, you have even more uncertainty from a proofs perspective.

There is no proof that any given number theory operation is a good trapdoor. That's as true for RSA as it is for ECC.

Lattices, codes, isogenies, multivariate schemes, etc. were all considered candidates because they rely on mathematical structures that, even with quantum computers, are not breakable in 2128 queries (or more).

But then SIKE was broken by a laptop on a weekend. And so too was Rainbow.

@risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman It's not just the security against known attacks, it's "how does each component of this primitive behave, and what are the best strategies for defeating it?"

@risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman We use a lot of analytic approaches (e.g., bit diffusion in reduced rounds to compare ARX constructions, which help quantify the statistical confusion between inputs and outputs in the full round of a scheme) which are derived from successful attacks against insecure designs. A cipher is a secure as the cost of the best attack (exhaustive key search a.k.a. brute force is the default attack to consider).

@dalias @risottobias @khm @ambiguous_yelp @sammi @joelanman Ah. So it's all about that sunk cost, rather than the consensus of experts. I can't help you with that, as I don't own a time machine.

@dalias @risottobias @khm @ambiguous_yelp @sammi @joelanman What exaxtly do you mean "unproven"?

The consensus among lattice experts and cryptanalysts is that, while there is some algebraic structure to some schemes that might be interesting targets for future attacks, their security is pretty well understood. NTRU and whatnot have been around for longer than AES. Is AES "unproven"?

@risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman I'm preferring X-Wing in my designs, but I don't think hybrid should be required, esp in gov systens.

@lunarood @ryanc @gsuberland @f4grx Yeah I'm not continuing this particular series into the floats

@gsuberland @f4grx Download the bcrypt implementation from @ryanc and calculate a high cost so it takes like 3 hours per hash trial

Hot take:

I don't want my GPU to be measured in AI operations.

I don't want AI features.

It turns out, one of my 2022 blog posts was relevant to a NIST cipher modes announcement:

https://csrc.nist.gov/pubs/sp/800/38/d/r1/iprd

Oh no, what did i do?

Pour one out for the very serious pencil-pusher types that just got a face-full of cartoon dhole on their work computer from a NIST publication and are undoubtedly very upset with their life

Why is it that people who are so full of themselves are also so full of shit?

Well, I think that question answers itself.

So, there's been a very stupid development from a blog post I wrote years ago.

The Bi-Symmetric Encryption Fraud was a blog post I wrote in 2021 to study the claims made by CEW Systems about their so-called post-quantum encryption scheme. It's a wild ride.

Behold, the front page of their website (which is showing up in my referrer logs today): https://web.archive.org/web/20250102180928/https://www.cew-s.com/

A little after midnight on Christmas, I received an unsolicited "roast" for one of my open source libraries.

The roast was AI-generated.

Naturally, I decided to look into who's behind this spam campaign and expose them.

https://soatok.blog/2024/12/26/roasted-christmas-spam-from-muhu-ai/

#opensource #ai #spam #muhuai #tech #technology #enshitification